I still think that such activities (certificate cracking, research into
any other security circumvention) should be forbidden unless
specifically allowed / permission specifically received and documented, so
that sites are agreeing to them. But that's only my opinion. Such
activities are a good idea, provided sites know who is doing what and
why. The idea of a specific VO for such activities, with special terms
where sites know exactly who is doing what and why, may be the way.
Linda
> -----Original Message-----
> From: Testbed Support for GridPP member institutes [mailto:TB-
> [log in to unmask]] On Behalf Of Coles, J (Jeremy)
> Sent: 01 November 2007 11:41
> To: [log in to unmask]
> Subject: Re: Heinz' Challenge
>
> Dear All
>
> Further to my earlier mail I now have received responses from Bob Jones
> and Erwin Laure (which given the comments earlier in the thread deserve
> to be read by everyone).
>
> "Hi Jeremy,
> Erwin has summarized nicely our point of view on this subject (see
> attached email) and there are currently discussions going on about what
> we need to change to avoid this situation in the future.
>
> Cheers, Bob."
>
> Erwin's summary:
>
> " Please let me clarify a bit: yes, Bob and myself were aware of the
> activity and encouraged it *as such*, we certainly didn't suggest,
> encourage, agree or whatsoever to use a certain VO for that - that's
> outside our mandate and I assume people are adhering to the AUPs they
> sign.
>
> From the thread it seems to me the biomed VO managers were not aware of
> this activity and they certainly should have been informed. I think it's
> up to the biomed VO managers now to assess whether this activity is
> in line with the goals of the biomed VO and let it go on, or it is not
> and make it stop. I will certainly help communicating whatever decision
> you come up with."
>
> So, it is generally recognised that this situation has arisen due to the
> interpretation of one user. That takes us back to the question Paul
> raised earlier in the thread and I'm sure that will feature in the
> follow up to this matter.
>
> I take the point about tickets being useless in this instance and will
> investigate (along with some other apparent problems). This is all part
> of the process of building a more sustainable infrastructure.
>
> Jeremy
>
>
>
> > -----Original Message-----
> > From: Testbed Support for GridPP member institutes [mailto:TB-
> > [log in to unmask]] On Behalf Of Coles, J (Jeremy)
> > Sent: 01 November 2007 10:38
> > To: [log in to unmask]
> > Subject: Re: Heinz' Challenge
> >
> > Dear All
> >
> > I have further information on the code use and why the user thought
> > biomed an appropriate VO for it:
> >
> > " The main idea is to factor prime numbers in order to show how long it
> > would take to break a 768-bit code (also referred to as "sieving").
> > Since PKI certificates use 1024 or 2048 bit codes, and biomed has
> > typically the most severe security, I thought it would be fine to use
> > the VO for that. However, if people do not agree with that opinion,
> > I'm happy to explore other solutions.
> >
> > Seems that some people were concerned since they thought that there
> > might be a price in USD awarded if a code is cracked. This is _not_ the
> > case, and the sieving exercise is pure computer science research."
> >
> > For this work Heinz has been working with Prof. Lenstra from the EPFL,
> > one of the most well-known persons in the field of cryptography and
> > number sieving.
> >
> > And on the method employed:
> >
> > " ... one more point on number sieving. It is not "brute force" but it
> > involves complex algorithms that reduce the actual run time of the
> > overall "challenge". One result of the work can be new, more efficient
> > sieving algorithms: important for PKI and GSI".
> >
> > The question now coming from within the biomed VO is whether, based on
> > this explanation, sites would re-authorise the user or whether an
> > alternative route needs to be found for the activity - such as the
> > setting up of a new VO. Though I can probably guess your replies you
> > should let me know your opinions. Since we are not working in isolation,
> > once I've got a feel for the response here I will push the matter to the
> > ROC managers for further discussion.
> >
> > Jeremy
> >
> >
> >
> > > -----Original Message-----
> > > From: Testbed Support for GridPP member institutes [mailto:TB-
> > > [log in to unmask]] On Behalf Of Alessandra Forti
> > > Sent: 01 November 2007 09:33
> > > To: [log in to unmask]
> > > Subject: Re: Heinz' Challenge
> > >
> > > Hi Jeremy,
> > >
> > > I'm not sure biomed was aware of this. I don't have those jobs on my
> > > cluster and I was keen to give Heinz the benefit of the doubt as I met
> > > him and he seemed a reasonable guy. But this is even worse than I
> > > expected, since it comes from the management and violates all the rules
> > > of trust that this grid is built upon. I mean so long for policies and
> > > AUPs. They couldn't do more damage.
> > >
> > > I also agree with Kostas that "Sorry" is not enough.
> > >
> > > cheers
> > > alessandra
> > >
> > > Coles, J (Jeremy) wrote:
> > > > Hi Kostas/Graeme/All
> > > >
> > > > I agree that this needs to be escalated and it will be. First though I
> > > > would like biomed representatives and Heinz to explain/respond - I can
> > > > not think of a justification on their side but that does not mean there
> > > > isn't one. Once everyone has responded directly (or if the ticket goes
> > > > without a proper response) then it can be taken further. Tier-2s/sites
> > > > are of course able to decide themselves if they wish to take more
> > > > immediate action as some have already done.
> > > >
> > > > Regards,
> > > > Jeremy
> > > >
> > > >
> > > >
> > > >> -----Original Message-----
> > > >> From: Testbed Support for GridPP member institutes [mailto:TB-
> > > >> [log in to unmask]] On Behalf Of Kostas Georgiou
> > > >> Sent: 01 November 2007 02:19
> > > >> To: [log in to unmask]
> > > >> Subject: Re: Heinz' Challenge
> > > >>
> > > >> On Thu, Nov 01, 2007 at 12:19:26AM +0000, Graeme Stewart wrote:
> > > >>
> > > >>> From the CIC portal, biomed described itself as:
> > > >>>
> > > >>> "This VO covers the areas related to health sciences. Currently, it
> > > >>> is divided in 3 sectors: medical imaging, bioinformatics and drug
> > > >>> discovery."
> > > >>>
> > > >>> We support the VO for it to engage in _that_ work, and we're happy to
> > > >>> have done work related to malaria, avian flu, etc. However, I don't
> > > >>> see anything about rsa768 factorisation.
> > > >>>
> > > >>> So, this is, to my mind, even worse. This is not just Heinz being a
> > > >>> loose cannon, but sites being conned by top level EGEE management
> > > >>> into running jobs which they had in no way agreed to run.
> > > >>>
> > > >>> The problem was then exacerbated by the way that Heinz wrote the
> > > >>> code, which resulted in biomed being able to grab far more of many,
> > > >>> many clusters in the UK than was reasonable. (And so much for EGEE
> > > >>> promoting push model RBs - just send in the pilots and watch our
> > > >>> fairsharing go all to hell.)
> > > >> This is exactly what I was going to say (better worded and probably
> > > >> far more polite though).
> > > >>
> > > >>> Frankly, as the UK, I think we should give them a bloody rocket for
> > > >>> this. They've shown huge disrespect to sites - and how on earth can
> > > >>> they expect other EGEE users and VOs to play by the rules when they
> > > >>> engage in such a gross violation of our trust?
> > > >> ...
> > > >>> We haven't banned biomed - we've banned Heinz. And I am in no hurry
> > > >>> to unban him. I'd expect an apology at the very least, as well as an
> > > >>> assurance that this will not happen again.
> > > >> People should keep in mind that we are going to have similar cases in
> > > >> the future. If our response today is going to be "a sorry is enough"
> > > >> what is going to stop the next user doing the same thing tomorrow
> > > >> considering how hard it is for us to spot an abuse? Unless there is
> > > >> a strong response people will think "If I am not found (quite likely)
> > > >> great, if I am found a sorry will solve everything".
> > > >>
> > > >> Cheers,
> > > >> Kostas
> > > >>
> > > >> PS> BTW if the management agrees that breaking rsa768 is fine then I'll
> > > >> have a go as well or is it only Heinz/biomed that can have a go?
> > > >
> > >
> > > --
> > > ***********************************
> > > * Alessandra Forti *
> > > * NorthGrid Technical Coordinator *
> > > * University of Manchester *
> > > ***********************************